Low severity · NVD Advisory · Published Jun 26, 2024 · Updated Aug 1, 2024
Reflected XSS via X-October-Request-Handler Header
CVE-2024-25637
Description
October is a self-hosted CMS platform based on the Laravel PHP Framework. In affected versions, the AJAX handler name taken from the X-October-Request-Handler request header is not sanitized, so HTML in that value is reflected back unescaped in the response. There is no practical impact: the value comes from a custom request header, which an attacker cannot set on a victim's behalf through normal browser interactions (a link, form submission, or redirect cannot add custom headers, and a cross-origin fetch/XHR that does so is subject to CORS preflight). The unescaped reflection is only observable when the request is crafted directly, for example with a proxy interception tool. This issue has been patched in version 3.5.15.
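The following PHP is an added illustration, not October CMS code; the exact code path that reflects the header in affected versions is not reproduced here. It models the class of bug the advisory describes (a handler name read from a request header and copied into an HTML response without escaping), the escaped form, an allow-list check on the handler name as defence in depth, and the same probe a tester would send through a proxy. The response text, the `$_SERVER`-style input and the handler-name pattern are assumptions.

```php
<?php
// Added example, not from the October CMS code base. The response wording,
// the request shape and the handler-name pattern are assumptions.

declare(strict_types=1);

/** Read the AJAX handler name the way a front controller could. */
function handlerNameFromRequest(array $server): ?string
{
    // PHP exposes the X-October-Request-Handler header under this $_SERVER key.
    return $server['HTTP_X_OCTOBER_REQUEST_HANDLER'] ?? null;
}

/** Vulnerable shape: the raw header value is interpolated into HTML. */
function renderHandlerErrorVulnerable(string $handler): string
{
    return "<p>AJAX handler '{$handler}' is not available.</p>";
}

/** Hardened shape: escape for an HTML text context before reflecting. */
function renderHandlerErrorFixed(string $handler): string
{
    $safe = htmlspecialchars($handler, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>AJAX handler '{$safe}' is not available.</p>";
}

/**
 * Defence in depth: only accept names shaped like AJAX handlers
 * (onSomething, optionally component-qualified). The pattern is
 * illustrative, not October's own validation rule.
 */
function isPlausibleHandlerName(string $handler): bool
{
    return preg_match('/^(?:[A-Za-z0-9_\-]+::)?on[A-Za-z0-9_]+$/', $handler) === 1;
}

/**
 * Equivalent of the proxy check: does the probe string appear unescaped
 * in the body? True means the response still reflects raw HTML.
 */
function reflectsUnescaped(string $body, string $probe): bool
{
    return strpos($body, $probe) !== false;
}

// Constructed request, as a proxy-intercepted client could send it.
$probe  = '<b>probe</b>';
$server = ['HTTP_X_OCTOBER_REQUEST_HANDLER' => $probe];
$name   = handlerNameFromRequest($server) ?? '';

// The allow-list check rejects the probe outright; a handler that
// passed it could still be reflected only through the escaping path.
if (!isPlausibleHandlerName($name)) {
    echo "rejected: handler name does not look like an AJAX handler\n";
}

var_dump(reflectsUnescaped(renderHandlerErrorVulnerable($name), $probe));
var_dump(reflectsUnescaped(renderHandlerErrorFixed($name), $probe));
```

To check a deployment, send a request with `X-October-Request-Handler: <b>probe</b>` through an intercepting proxy (or `curl -H`) and look for the literal `<b>probe</b>` in the response body; an escaped reflection (`&lt;b&gt;`) indicates the patched behaviour. Because the header has to be set by the tester's own client, a positive result confirms the version gap rather than an attack path against other users.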
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| october/system (Packagist) | >= 3.2, < 3.5.15 | 3.5.15 |
Affected products
- Range: >= 3.2, < 3.5.15
Patches
No patch commit is linked in this index yet; the advisory reports the fix as shipped in version 3.5.15.
References
- https://github.com/advisories/GHSA-rjw8-v7rr-r563 (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2024-25637 (NVD)
- https://github.com/octobercms/october/security/advisories/GHSA-rjw8-v7rr-r563 (vendor advisory, x_refsource_CONFIRM)